{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/routing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GoBGP"],"_cs_severities":["medium"],"_cs_tags":["gobgp","dos","bgp","routing"],"_cs_type":"advisory","_cs_vendors":["GoBGP"],"content_html":"\u003cp\u003eGoBGP version 4.3.0 is susceptible to a denial-of-service (DoS) vulnerability triggered by malformed BGP UPDATE messages. Specifically, when GoBGP receives an UPDATE message containing an unrecognized Path Attribute marked as \u0026ldquo;Well-known\u0026rdquo; (Optional bit set to 0), the daemon fails to properly handle the error. This leads to a nil pointer dereference, resulting in a panic and subsequent crash of the entire GoBGP process. This vulnerability, disclosed in GHSA-7235-89m6-f4px, can be exploited by any BGP peer, internal or external, sending such a malformed message. This poses a significant risk to network stability as it can disrupt BGP routing and connectivity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a standard BGP session with the targeted GoBGP instance, completing the OPEN/KEEPALIVE exchange.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP UPDATE message.\u003c/li\u003e\n\u003cli\u003eThis UPDATE message includes a Path Attribute with the Optional bit set to 0 (Well-known).\u003c/li\u003e\n\u003cli\u003eThe Path Attribute Type Code is set to an unrecognized value (e.g., 0xEE or 0xFF).\u003c/li\u003e\n\u003cli\u003eThe parsing logic in GoBGP identifies the unrecognized Well-known attribute.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erecvMessageloop\u003c/code\u003e function in \u003ccode\u003epkg/server/fsm.go\u003c/code\u003e fails to halt execution after identifying the malformed attribute.\u003c/li\u003e\n\u003cli\u003eThe code attempts to dereference a nil pointer associated with the invalid message body.\u003c/li\u003e\n\u003cli\u003eThis results in a \u0026ldquo;panic: runtime error: invalid memory address or nil pointer dereference\u0026rdquo;, causing the GoBGP daemon to crash, disrupting BGP routing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows a remote attacker to cause a denial-of-service condition on GoBGP deployments. A single malformed UPDATE message is sufficient to trigger the crash, affecting all GoBGP instances peering with potentially malicious or compromised BGP speakers. This can lead to routing instability, network outages, and potential data plane disruptions. The affected version, 4.3.0, may be widely deployed in various network environments, making it a significant concern for network operators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect GoBGP Malformed BGP Update\u003c/code\u003e to identify crafted BGP UPDATE messages containing unrecognized Well-known Path Attributes via network traffic analysis.\u003c/li\u003e\n\u003cli\u003eMonitor BGP peer sessions for unexpected disconnects or restarts, which may indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eConsider implementing BGP route filtering and validation mechanisms to mitigate the impact of malformed or malicious UPDATE messages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gobgp-dos/","summary":"A denial-of-service vulnerability exists in GoBGP version 4.3.0 where a malformed BGP UPDATE message containing an unrecognized Well-known Path Attribute triggers a nil pointer dereference, causing the BGP daemon to crash.","title":"GoBGP Remote Denial of Service via Malformed BGP Update Message","url":"https://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Routing","version":"https://jsonfeed.org/version/1.1"}